Cyber-shopping from work creates big exposure

Innocent lunchtime holiday shopping can turn into a real gift to cyber criminals.

A new study by Adobe projects holiday e-commerce will hit a record $107 billion, with mobile leading the way.

There’s one wrinkle in regard to that news that banks (and any business) should be aware of. It relates to something that just about everyone working in a business has done at one time or another: use a corporate email address, and, worse, their corporate password, for shopping, or to verify their identity for a personal email account. This practice can substantially increase a bank’s risk of compromised credentials leading to cyber breaches.

The issue was raised recently in an email sent on behalf of InfoArmor, a company operating at the epicenter of cyberfraud. The company provides identity theft protection for employee benefit plans, on the one hand, and, on the other, monitors the so-called dark web to provide preemptive threat assessments, alerts, and advisories to various businesses, governments, and law enforcement agencies.

(“The dark web, or dark net—quoting from the Banking Exchange article, “Tales from the dark web”—is a part of the internet not indexed by Google. It has some legitimate uses but is mainly a “criminal flea market” for drugs, guns, information, credit cards, identities, and people.)

Gift that keeps on hurting

The holiday season is the peak time for compromised corporate credentials, according to Christian Lees, chief information security officer at InfoArmor.

“Considering the tremendous amount of time individuals spend at work, naturally some of our personal behavior weaves its way into our corporate environment,” Lees explains, putting it kindly. “For example, mailing lists and third-party site enrollment tends to peak during holiday season, often due to retailer campaigns, targeting marketing, and consumer behavior.

“Consumers use corporate credentials to shelter spending habits, tend to use their work email more than others, or naturally keeping the gift a secret in anticipation for the holidays,” Lees continued. While these behaviors are understandable, he said, they tend to greatly endanger the employees’ organization.

Lees' colleague, Byron Rashed, vice-president of Global Marketing, Advanced Threat Intelligence, is a little more blunt about it. In an interview he observes that people in IT will say to people in HR when there’s been a compromise, “‘We didn’t get breached, where did this problem come from?’”

Actually, says Rashed, “a lot of times they use corporate credentials and passwords when dealing with third parties [for business, not shopping] because they’re human and can’t remember multiple passwords.”

Want more banking news and analysis?

Get banking news, insights and solutions delivered to your inbox each week.

But if these credentials get into the hands of “threat actors” via a compromised third party, Rashed continues, then the bad guys can go online and “find out anything about anybody.” They employ password generators and “password crackers” to penetrate the corporate network. Once they have corporate credentials, he says, it’s simple to figure out the domain and find out about people working there.

Dealing with third parties for business

“Most compromised credential breaches do not occur within the organization,” observes Rashed. “They are usually compromised through a third-party site where the user has created an account using their corporate email, and in many cases with the same corporate password. If the third-party site is breached, this is literally giving the threat actor ‘the keys to the kingdom’.”

The lesson, says Rashed, is simple: “Don’t use corporate credentials or passwords for personal contacts. And if you have to deal with a third party for business”—for example, using a cloud service for work-related projects—“and thus have to use your corporate email address, be sure to use a different password.”

“Use something that is totally unrelated to your corporate password or to anything in your job or life,” Rashed advises. “A made-up phrase is best.”

In the email in which he was quoted, Rashed gave additional details on this point:

“Use complex phrases as passwords and modify the characters, if possible. An example would be, ‘EyeLuvHawa11” or similar combinations that are uncommon. Threat actors are very cunning in guessing obvious password phrases.”

Rashed also recommends changing your passwords regularly—every 90 days would be good.

Employee training will help

While human nature will thwart the best-laid plans, Rashed maintains that training of employees by IT and HR teams will raise awareness of the problem and help reduce the exposure.

“The HR chief and the chief information security officer should work up a policy on this, and create training videos,” said Rashed.

In addition, Rashed advises that if your credentials and password are compromised from the third-party site, where you used your corporate email address, reset your password and inform your IT department immediately even though you did not use your corporate password.

“Your IT security staff will most likely have you reset your corporate password to be safe,” he adds.

Finally this, which, while seemingly obvious, bears repeating:

“Physically, everyone should ensure that mobile, tablets, and laptops have password or passcodes on them to access the device, and be vigilant about keeping them nearby and protected,” Rashed wrote in the email. “An obvious potential danger is in the latest version of iOS [the Apple mobile operating system] where ‘Keychain’ can be easily accessed through settings. User names and passwords are available in this feature. If the device is lost or stolen and no passcode protection is on the device, all the user’s accounts within Keychain are at risk.”

Bill Streeter is Editor & Publisher of Banking Exchange. He has been a full-time business journalist for 43 years, 37 of them with ABA Banking Journal. During his time with the Journal, he rose from Assistant Managing Editor to Editor-in-Chief and in 2012 became Editor & Publisher. He has been an observer of momentous changes in banking, from the introduction of ATMs to the 2008 financial crisis and passage of the Dodd-Frank Act. He has won numerous business journalism awards, including being part of a team that won a finalist position in the Jesse Neal Awards, the "Pulitzer Prize" of business journalism.